Google, Intel Warn on ‘Zero-Click’ Kernel Bug in Linux-Based IoT Devices

  • Intel and Google are urging users to update the Linux kernel to version 5.9 or later.

    Google and Intel are warning of a high-severity flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for the core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices.


    According to Google, the vulnerability affects users of Linux kernel versions before 5.9 that support BlueZ. BlueZ, an open-source project distributed under the GNU General Public License (GPL), includes the BlueZ kernel code that has been part of the official Linux kernel since version 2.4.6.

    The flaw, which Google calls “BleedingTooth,” can be exploited in a “zero-click” attack using specially crafted input by a local, unauthenticated attacker. This could potentially allow for escalated privileges on affected devices.

    “A remote attacker in short distance knowing the victim’s bd [Bluetooth device] address can send a malicious l2cap [Logical Link Control and Adaptation Layer Protocol] packet and cause denial of service or possibly arbitrary code execution with kernel privileges,” according to a Google post on GitHub. “Malicious Bluetooth chips can trigger the vulnerability as well.”

    The flaw (CVE-2020-12351) ranks 8.3 out of 10 on the CVSS scale, making it high-severity. It specifically stems from a heap-based type confusion in net/bluetooth/l2cap_core.c. A type-confusion vulnerability is a bug in which code treats an object as a different type than it actually is; the mismatch can lead to out-of-bounds memory access and, from there, to code execution or component crashes that an attacker can exploit. In this case, the root cause is improper validation of user-supplied input within the BlueZ implementation in the Linux kernel.
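To make the class of bug concrete, the following is an added, constructed C illustration of a heap-style type confusion and its fix; it is not the BlueZ code, and the `chan_hdr`, `chan_small`, `chan_large` and `deliver_*` names are invented for this example. Two object kinds share a common header with a kind tag; the vulnerable function casts to the larger kind without checking the tag, so its bounds check is measured against the wrong object size, while the hardened function checks the tag first and bounds the copy by the capacity that tag implies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not kernel code): two object kinds share a
 * common header whose tag records which kind the object really is. */
enum chan_kind { KIND_SMALL = 1, KIND_LARGE = 2 };

struct chan_hdr { int kind; };

struct chan_small { struct chan_hdr hdr; uint8_t buf[4]; };
struct chan_large { struct chan_hdr hdr; uint8_t buf[64]; };

/* How many payload bytes the object behind hdr can actually hold. */
static size_t chan_capacity(const struct chan_hdr *h)
{
    return h->kind == KIND_LARGE ? sizeof(((struct chan_large *)0)->buf)
                                 : sizeof(((struct chan_small *)0)->buf);
}

/* Helper for tests: capacity implied by a bare kind tag. */
static size_t capacity_for_kind(int kind)
{
    struct chan_hdr h = { kind };
    return chan_capacity(&h);
}

/* Vulnerable pattern: the caller assumes the object is the large kind and
 * casts without consulting the tag. If a small object reaches this path,
 * the length check is against the wrong size and memcpy writes past the
 * real allocation. Deliberately never invoked in this file. */
static int deliver_unchecked(struct chan_hdr *h, const uint8_t *data, size_t len)
{
    struct chan_large *l = (struct chan_large *)h;
    if (len > sizeof(l->buf))
        return -1;
    memcpy(l->buf, data, len);
    return 0;
}

/* Hardened pattern: verify the tag first, then bound the copy by the
 * capacity that tag implies, and refuse tags the code does not know. */
static int deliver_checked(struct chan_hdr *h, const uint8_t *data, size_t len)
{
    if (h->kind != KIND_SMALL && h->kind != KIND_LARGE)
        return -2;                      /* unknown kind: refuse */
    if (len > chan_capacity(h))
        return -1;                      /* would overflow this object */
    if (h->kind == KIND_LARGE)
        memcpy(((struct chan_large *)h)->buf, data, len);
    else
        memcpy(((struct chan_small *)h)->buf, data, len);
    return 0;
}

/* An object carrying a tag the code does not recognise must be rejected. */
static int reject_unknown_kind(void)
{
    struct chan_small s = { { 99 }, { 0 } };   /* constructed bogus tag */
    uint8_t one = 0;
    return deliver_checked(&s.hdr, &one, 1);   /* -2 */
}

#define PAYLOAD_LEN 16

/* Exercise the hardened path: a 16-byte payload must be refused for the
 * 4-byte object and accepted, intact, for the 64-byte object. */
static int demo(void)
{
    static const uint8_t payload[PAYLOAD_LEN + 1] = "0123456789abcdef"; /* constructed */
    struct chan_small s = { { KIND_SMALL }, { 0 } };
    struct chan_large l = { { KIND_LARGE }, { 0 } };
    int r_small = deliver_checked(&s.hdr, payload, PAYLOAD_LEN);  /* -1 */
    int r_large = deliver_checked(&l.hdr, payload, PAYLOAD_LEN);  /*  0 */

    (void)deliver_unchecked;   /* kept beside the fix for comparison only */
    return r_small == -1 && r_large == 0 &&
           memcmp(l.buf, payload, PAYLOAD_LEN) == 0;
}

int main(void)
{
    printf("hardened dispatch behaves correctly: %s\n", demo() ? "yes" : "no");
    printf("unknown tag result: %d\n", reject_unknown_kind());
    return 0;
}
```

The point of the contrast is that the size used in a bounds check must come from the object's real type, not from the type the caller expects; in kernel code the analogous check is usually on a channel or socket state field before a pointer is reinterpreted.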

    Intel, meanwhile, which has made a “significant investment” in BlueZ, addressed the security issue in a Tuesday advisory, recommending that users update the Linux kernel to version 5.9 or later.

    “Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure,” according to the security advisory. “BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities.”

    Google has also published proof-of-concept exploit code for the flaw on GitHub, along with a video demo of BleedingTooth.

    Intel also issued a fix for two medium-severity flaws affecting BlueZ, both of which stem from improper access control. These include CVE-2020-12352, which could allow an unauthenticated user to potentially enable information disclosure via adjacent access.

    “A remote attacker in short distance knowing the victim’s bd address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR,” according to a description on GitHub. “The leak may contain other valuable information such as the encryption keys.”
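The kernel-stack leak described above belongs to a well-known class: a reply structure is built on the stack, every field is assigned, but the compiler-inserted padding bytes still hold whatever an earlier call left behind, and the whole object is then copied out to an untrusted party. The following is an added, constructed C example (not the BlueZ code; `struct reply` and the `stale_bytes_*` functions are invented here) that makes the padding visible and shows the standard mitigation of clearing the entire object before filling it. A `0xAA` marker stands in for the stale pointer bytes a real leak would expose.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed reply record (not a real kernel structure). The mixed field
 * widths force the compiler to insert padding bytes between members:
 * the fields total 15 bytes, but sizeof(struct reply) is larger. */
struct reply {
    uint8_t  status;
    uint32_t value;
    uint16_t flags;
    uint64_t handle;
};

/* A union lets us inspect every byte of the object, padding included. */
union reply_bytes {
    struct reply r;
    uint8_t raw[sizeof(struct reply)];
};

/* Stand-in for data left in that stack memory by an earlier call. */
#define STALE 0xAA

/* Count how many bytes of the object still carry the stale marker. */
static size_t count_stale(const union reply_bytes *u)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof u->raw; i++)
        if (u->raw[i] == STALE)
            n++;
    return n;
}

/* Leaky pattern: each field is assigned, but the padding keeps whatever
 * was there before, and a copy of the whole object ships it out. */
static size_t stale_bytes_unzeroed(void)
{
    union reply_bytes u;
    memset(u.raw, STALE, sizeof u.raw);   /* simulate stale stack contents */
    u.r.status = 1;
    u.r.value  = 2;
    u.r.flags  = 3;
    u.r.handle = 4;
    return count_stale(&u);               /* > 0: padding still leaks */
}

/* Fixed pattern: clear the whole object first, then fill the fields. */
static size_t stale_bytes_zeroed(void)
{
    union reply_bytes u;
    memset(u.raw, STALE, sizeof u.raw);   /* same stale starting state */
    memset(&u.r, 0, sizeof u.r);          /* the mitigation */
    u.r.status = 1;
    u.r.value  = 2;
    u.r.flags  = 3;
    u.r.handle = 4;
    return count_stale(&u);               /* 0 */
}

/* Size of the object versus the bytes the fields themselves occupy. */
static size_t padding_bytes(void)
{
    return sizeof(struct reply) - (sizeof(uint8_t) + sizeof(uint32_t) +
                                   sizeof(uint16_t) + sizeof(uint64_t));
}

int main(void)
{
    printf("padding bytes in struct reply: %zu\n", padding_bytes());
    printf("stale bytes without memset:    %zu\n", stale_bytes_unzeroed());
    printf("stale bytes with memset:       %zu\n", stale_bytes_zeroed());
    return 0;
}
```

The same reasoning is why a structure copied out of the kernel is normally zeroed in full (or built with every byte explicitly initialised) rather than filled field by field: the fields are not the whole object.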

    Another flaw (CVE-2020-24490) could allow an unauthenticated user to potentially enable denial of service via adjacent access. The flaw can be exploited by a remote attacker in short distance, who can broadcast extended advertising data and cause a denial-of-service state, or possibly arbitrary code execution with kernel privileges on victim devices (if they are equipped with Bluetooth 5 chips and are in scanning mode), according to Google.

    Andy Nguyen, a security engineer with Google, was credited with discovering the flaw. More information will soon be available on Google’s security blog.
